Abstract

We propose a polynomial-time attack on the hHB protocol, showing that the
protocol does not attain the security it claims. Our attack is based on the
attack introduced in [2].


1 Introduction 

In the modern era of cryptography, researchers have sought low-cost
cryptographic primitives suitable for constrained hardware environments such
as RFID tags and low-power, low-cost devices. A popular source of inspiration
is the Learning Parity with Noise (LPN) problem, which has its roots in machine
learning theory but has since gained considerable popularity among
cryptographers. The LPN problem is closely related to the problem of decoding
random linear codes, which is arguably the most important problem in coding
theory. Being supposedly hard also for quantum computers, in contrast to the
classic number-theoretic problems, LPN plays an important role in post-quantum
cryptography. LPN involves only very basic arithmetic operations and is
therefore a natural fit for lightweight cryptography.

The first 'real' cryptographic construction based on LPN was the Hopper-Blum
(HB) protocol [5], a minimalistic protocol that is secure in a passive attack
model. Juels and Weis [6], and Katz and Shin [7], proposed a modified protocol,
HB+, which aimed to be secure also in the active attack model by extending HB
with one extra round. However, Gilbert et al. [2] later showed that the HB+
protocol is vulnerable to active attacks, specifically man-in-the-middle
attacks. Later, Gilbert et al. [3] proposed a variant of the Hopper-Blum
protocol called HB#.

Some of the more recent contributions to LPN-based constructions are a
two-round identification protocol called Lapin, proposed by Heyse et al. [4],
and an LPN-based encryption scheme called HELEN, proposed by Duc and Vaudenay
[1]. The Lapin protocol is based on an LPN variant called Ring-LPN, where the
samples are elements of a polynomial ring.

Khoureich proposed in [8] a new version of HB called hHB (harder HB), which
aims to repair the susceptibility to GRS attacks [2]. In this paper, we show
that this is not the case.
2 The hHB protocol

The author of [8] argues that the weakness of HB is due to the fact that the
secret x does not change over time. The hHB protocol is built upon this
hypothesis: by employing a way of (presumably) securely transmitting a secret
session value and letting x take this value, [8] aims to patch this weakness.
Once the session value has been transmitted, the verifier in the hHB protocol
runs the standard HB protocol to verify the tag. The hHB protocol is outlined
in Protocol 1.


Protocol 1 (hHB protocol)

  Tag$(s, y)$                                              Reader$(s, y)$

  (First step of the session-value exchange, with $\rho_0 = 0^{|s|}$)
                                                           $\tau \leftarrow \{0,1\}$, $\zeta_0 \leftarrow \{0,1\}$, $\zeta_1 \leftarrow \{0,1\}$
                                                           $(\alpha, \beta, \gamma) \leftarrow f_s(\tau, \zeta_0, \zeta_1, 0^{|s|})$
                                 $\xleftarrow{(\alpha, \beta, \gamma)}$
  $(\tau, \zeta_0, \zeta_1) \leftarrow f_s^{-1}(\alpha, \beta, \gamma, 0^{|s|})$
  $\rho_0 \leftarrow$ (right-hand side not legible)        $\rho_0 \leftarrow$ (right-hand side not legible)

  (Repeat $k$ times)
                                                           $\tau \leftarrow \{0,1\}$, $\zeta_0 \leftarrow \{0,1\}$, $\zeta_1 \leftarrow \{0,1\}$
                                                           $(\alpha, \beta, \gamma) \leftarrow f_s(\tau, \zeta_0, \zeta_1, \rho_{i-1})$
                                 $\xleftarrow{(\alpha, \beta, \gamma)}$
  $(\tau, \zeta_0, \zeta_1) \leftarrow f_s^{-1}(\alpha, \beta, \gamma, \rho_{i-1})$
  $x_i \leftarrow$ (right-hand side not legible)           $x_i \leftarrow$ (right-hand side not legible)
  $\rho_i \leftarrow x_1 x_2 \cdots (x_i)^{|s|-i+1}$        $\rho_i \leftarrow x_1 x_2 \cdots (x_i)^{|s|-i+1}$

  $x \leftarrow x_1 x_2 \cdots x_k$                         $x \leftarrow x_1 x_2 \cdots x_k$

  (Repeat $r$ times)
  $b \leftarrow \{0,1\}^k$
                                 $\xrightarrow{\;b\;}$
                                                           $a \leftarrow \{0,1\}^k$
                                 $\xleftarrow{\;a\;}$
  $\nu \leftarrow \mathrm{Ber}_\varepsilon$
  $z \leftarrow a \cdot x \oplus b \cdot y \oplus \nu$
                                 $\xrightarrow{\;z\;}$
                                                           Verify $a \cdot x \oplus b \cdot y = z$


The function used by the reader to transmit the session values $\tau$,
$\zeta_0$, $\zeta_1$,

$$f_s(\lambda_1, \lambda_2, \lambda_3, \rho_i) \rightarrow (\alpha, \beta, \gamma), \qquad (1)$$

is defined in Algorithm 1. Similarly, the inverse function used by the tag to
decode the session values $\tau$, $\zeta_0$, $\zeta_1$,

$$f_s^{-1}(\alpha, \beta, \gamma, \rho_i) \rightarrow (\lambda_1, \lambda_2, \lambda_3), \qquad (2)$$

is given in Algorithm 2. Both take the chaining value $\rho_i$ of the current
step as input, so the pair $(c, t)$ with $t = c \cdot (s \oplus \rho_i) \oplus
\lambda$ only decodes correctly for a party that knows $s$.

3 The attack 

We will now proceed with describing our attack. We use a method very similar
to that of [2].
Algorithm 1 (function $f_s$)

  Input:  $\lambda_1, \lambda_2, \lambda_3 \in \{0,1\}$, $\rho_i \in \{0,1\}^{|s|}$
  Output: triple $(\alpha, \beta, \gamma)$

  1  $c_1 \leftarrow \{0,1\}^{|s|}$, $t_1 \leftarrow c_1 \cdot (s \oplus \rho_i) \oplus \lambda_1$
  2  $c_2 \leftarrow \{0,1\}^{|s|}$, $t_2 \leftarrow c_2 \cdot (s \oplus \rho_i) \oplus \lambda_2$
  3  $c_3 \leftarrow \{0,1\}^{|s|}$, $t_3 \leftarrow c_3 \cdot (s \oplus \rho_i) \oplus \lambda_3$
  4  if $\lambda_1 \oplus \lambda_2 \oplus \lambda_3 = 0$ then
  5      return $((c_3, t_3), (c_1, t_1), (c_2, t_2))$
  6  else
  7      return $((c_2, t_2), (c_3, t_3), (c_1, t_1))$


Algorithm 2 (function $f_s^{-1}$)

  Input:  triple $(\alpha, \beta, \gamma)$, $\rho_i \in \{0,1\}^{|s|}$
  Output: $\lambda_1, \lambda_2, \lambda_3 \in \{0,1\}$

  1  $(c_1, t_1) \leftarrow \alpha$, $(c_2, t_2) \leftarrow \beta$, $(c_3, t_3) \leftarrow \gamma$
  2  $\lambda_1 \leftarrow c_1 \cdot (s \oplus \rho_i) \oplus t_1$
  3  $\lambda_2 \leftarrow c_2 \cdot (s \oplus \rho_i) \oplus t_2$
  4  $\lambda_3 \leftarrow c_3 \cdot (s \oplus \rho_i) \oplus t_3$
  5  if $\lambda_1 \oplus \lambda_2 \oplus \lambda_3 = 0$ then
  6      return $(\lambda_2, \lambda_3, \lambda_1)$
  7  else
  8      return $(\lambda_3, \lambda_1, \lambda_2)$


3.1 Determining secret y 

In each of the $r$ verification rounds the tag sends

$$z = a \cdot x \oplus b \cdot y \oplus \nu.$$

The verifier checks whether

$$a \cdot x \oplus b \cdot y = z,$$

which is expected to hold for $r \cdot \Pr[\nu = 0] = r(1 - \varepsilon)$ of
the $r$ samples. If the number of correct equations is above some threshold,
the verifier accepts. Otherwise the verifier rejects.

First, we ignore the vector $x$. By intercepting the communication between
the tag and the verifier, we are able to perturb the exchanged bits. To
determine the bit of $y$ at index $i$, we run the following steps.

1. Let the tag and verifier exchange the session value. For now, this is
   ignored.

2. Each time the tag sends $b$, we flip the $i$th bit, so that the verifier
   receives $b$ with $b_i \leftarrow b_i \oplus 1$. This is done in every one
   of the $r$ rounds.

3. Then we let the tag and verifier run the $r$ rounds. If $y_i = 0$ the
   flipped bit does not enter $b \cdot y$ and the verifier sees an honest
   transcript; if $y_i = 1$ every response is off by one and the verifier
   almost surely rejects. Hence, if the reader returns accept, then $y_i$ is
   very likely to be 0. Naturally, we may amplify the probability of a correct
   guess by re-running the procedure for the same index $i$.

4. By repeating for all $k$ bits, we can determine the secret value $y$.


3.2 Determining secret s 

The second stage of the attack aims to determine the secret vector $s$. In the
very first step of the session-value exchange, $\rho_0$ is always $0^{|s|}$,
so that $c \cdot (s \oplus \rho_0) = c \cdot s$; this is the key to our
exploit. To determine the bit of $s$ at index $j$, we run the following steps.


1. In the first step of the session-value exchange, flip the $j$th bit in
   $c_1$. As a result, the tag computes

   $$\lambda_1 \leftarrow (c_1 \oplus \delta_j) \cdot s \oplus t_1, \qquad (3)$$

   where $\delta_j$ is the vector with a 1 at index $j$ and zeros at the
   remaining indices. Hence,

   $$\lambda_1 \leftarrow \begin{cases} \lambda_1 & \text{if } s_j = 0, \\ \lambda_1 \oplus 1 & \text{if } s_j = 1. \end{cases}$$

   Applying the same procedure to $c_2$ and $c_3$, we are able to
   conditionally flip also $\lambda_2$ and $\lambda_3$.

2. If the two values satisfy $\zeta_0 = \zeta_1$ (which is true with
   probability $1/2$), then $x$ will be perturbed at position 0, i.e.,
   $x_0 \leftarrow x_0 \oplus 1$. Everything else remains the same.

3. When the tag is verified against the reader, we set the bit of $a$ at the
   perturbed position 0 to always be 1, so that the perturbed bit of $x$
   enters $a \cdot x$ in every round. Hence, the tag will compute

   $$z = \begin{cases} a \cdot x \oplus b \cdot y \oplus \nu & \text{if } s_j = 0, \\ a \cdot x \oplus b \cdot y \oplus \nu \oplus \phi & \text{if } s_j = 1, \end{cases} \qquad (4)$$

   where $\Pr[\phi = 1] = 1/2$. So, if $s_j = 1$, the reader will output
   reject with probability about $1/2$ (namely in the runs with $\phi = 1$,
   where every response is off by one), whereas for $s_j = 0$ it accepts as
   in an honest run. Running the procedure a polynomial number of times for
   the same index $j$ will give a good estimate of $s_j$.


Implementation of hHB and the MITM attack can be found at [9].
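The following Python simulation is an added example; it is not the implementation referenced at [9] and not code from [8]. It implements $f_s$ and $f_s^{-1}$ as given in Algorithms 1 and 2, the $r$-round verification phase of Protocol 1, the bit-flipping attack on $y$ of Section 3.1, and the conditional flip of $\lambda_1$ from equation (3) on which Section 3.2 builds. The rule by which $x_i$ is derived from $(\tau, \zeta_0, \zeta_1)$ is not modelled (the session value $x$ is simply drawn at random for the verification phase), and the parameters $k$, $r$, $\varepsilon$, the acceptance threshold, the constructed 8-bit secret $s$ and the number of repetitions per bit are assumptions chosen for the demonstration.

```python
# Added example, not the code of [8] or [9]: toy hHB session-value encoding
# (Algorithms 1 and 2), the HB verification phase of Protocol 1, and the
# man-in-the-middle attacks of Sections 3.1 and 3.2 (step 1 only).
import random


def dot(a, b):
    """Inner product over GF(2) of two equal-length bit lists."""
    return sum(u & v for u, v in zip(a, b)) & 1


def rand_bits(n, rng):
    return [rng.getrandbits(1) for _ in range(n)]


def f_s(s, lam, rho, rng):
    """Algorithm 1: reader-side encoding of (lambda_1, lambda_2, lambda_3)
    under secret s and chaining value rho; returns (alpha, beta, gamma)."""
    mask = [si ^ ri for si, ri in zip(s, rho)]            # s xor rho_i
    pairs = []
    for lam_i in lam:
        c = rand_bits(len(s), rng)
        pairs.append((c, dot(c, mask) ^ lam_i))            # (c_i, t_i)
    (c1, t1), (c2, t2), (c3, t3) = pairs
    if lam[0] ^ lam[1] ^ lam[2] == 0:
        return ((c3, t3), (c1, t1), (c2, t2))
    return ((c2, t2), (c3, t3), (c1, t1))


def f_s_inv_raw(s, triple, rho):
    """Steps 1-4 of Algorithm 2: the tag's lambda values before un-permuting."""
    mask = [si ^ ri for si, ri in zip(s, rho)]
    return tuple(dot(c, mask) ^ t for c, t in triple)


def f_s_inv(s, triple, rho):
    """Algorithm 2: tag-side decoding, the inverse of f_s."""
    l1, l2, l3 = f_s_inv_raw(s, triple, rho)
    return (l2, l3, l1) if l1 ^ l2 ^ l3 == 0 else (l3, l1, l2)


def hb_phase(x, y, eps, r, threshold, rng, flip_b_index=None):
    """r rounds of the verification phase of Protocol 1. A man in the middle
    flips bit flip_b_index of the tag's blinding vector b in every round.
    Returns True if the reader accepts (at most `threshold` wrong rounds)."""
    k, wrong = len(x), 0
    for _ in range(r):
        b_tag = rand_bits(k, rng)                          # tag picks b
        b_reader = list(b_tag)
        if flip_b_index is not None:
            b_reader[flip_b_index] ^= 1                    # MITM perturbs b
        a = rand_bits(k, rng)                              # reader picks a
        nu = 1 if rng.random() < eps else 0                # nu ~ Ber_eps
        z = dot(a, x) ^ dot(b_tag, y) ^ nu                 # tag's response
        if dot(a, x) ^ dot(b_reader, y) != z:
            wrong += 1
    return wrong <= threshold


def recover_y(x, y, eps, r, threshold, rng, repeats=3):
    """Section 3.1: y_i is guessed 0 iff the reader (mostly) accepts a run in
    which b_i was flipped in every round; majority vote over `repeats` runs."""
    guess = []
    for i in range(len(y)):
        accepts = sum(hb_phase(x, y, eps, r, threshold, rng, flip_b_index=i)
                      for _ in range(repeats))
        guess.append(0 if accepts > repeats // 2 else 1)
    return guess


def lambda1_flips_when_c1_bit_flipped(s, j, rng):
    """Equation (3): with rho_0 = 0^{|s|}, flipping bit j of c_1 (the c the
    tag reads from alpha) toggles the tag's lambda_1 exactly when s_j = 1."""
    rho0 = [0] * len(s)
    lam = tuple(rand_bits(3, rng))                         # (tau, zeta_0, zeta_1)
    alpha, beta, gamma = f_s(s, lam, rho0, rng)
    c1, t1 = alpha
    c1_mitm = list(c1)
    c1_mitm[j] ^= 1                                        # c_1 xor delta_j
    before = f_s_inv_raw(s, (alpha, beta, gamma), rho0)[0]
    after = f_s_inv_raw(s, ((c1_mitm, t1), beta, gamma), rho0)[0]
    return before != after


def roundtrip_ok(seed=0):
    """f_s^{-1}(f_s(.)) must be the identity for all eight lambda triples."""
    rng = random.Random(seed)
    s, rho = rand_bits(8, rng), rand_bits(8, rng)
    return all(f_s_inv(s, f_s(s, lam, rho, rng), rho) == lam
               for lam in [((v >> 2) & 1, (v >> 1) & 1, v & 1) for v in range(8)])


def demo(seed=1):
    """Runs the whole demonstration with assumed toy parameters."""
    rng = random.Random(seed)
    k, r, eps, threshold = 16, 60, 0.1, 15                 # assumed parameters
    s = [1, 0, 1, 1, 0, 0, 1, 0]                           # constructed secret s
    x, y = rand_bits(k, rng), rand_bits(k, rng)            # x: random stand-in
    return {
        "honest_accepts": hb_phase(x, y, eps, r, threshold, rng),
        "y": y,
        "recovered_y": recover_y(x, y, eps, r, threshold, rng),
        "s": s,
        "lambda1_flips": [lambda1_flips_when_c1_bit_flipped(s, j, rng)
                          for j in range(len(s))],
    }


if __name__ == "__main__":
    print(demo())
```

With the assumed parameters an honest transcript has about $r\varepsilon = 6$ wrong rounds, while a run with $b_i$ flipped and $y_i = 1$ has about $r(1-\varepsilon) = 54$, so a threshold of 15 separates the two cases cleanly and three repetitions per bit suffice. The `lambda1_flips` list equals the bits of $s$, which is exactly the conditional flip of equation (3); turning that into an accept/reject signal requires the $x_i$ rule of the protocol, which the simulation does not model.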